Crawford puts forward bill on cybersecurity risks to water systems

Crawford measure would put focus on cybersecurity risks

U.S. Rep. Rick Crawford (left), R-Ark., and then-candidate John Duarte, a Republican in California's 13th Congressional District, are shown in Washington in these file photos from April 2021 and November 2022, respectively. The two congressmen have introduced legislation to establish a governing body for developing risk and resilience requirements for water systems to protect networks from cybersecurity threats. (Left, Al Drago/Pool via AP; right, AP/J. Scott Applewhite)

WASHINGTON -- U.S. Rep. Rick Crawford, R-Ark., has introduced legislation to establish a governing body for developing risk and resilience requirements for water systems to protect networks from cybersecurity threats.

The bill, House Resolution 7922, would require the Environmental Protection Agency to certify a Water Risk and Resilience Organization responsible for proposing regulations to help drinking water and wastewater systems withstand cybersecurity disruptions, including malicious attempts to hinder services.

The organization also would need to propose implementation plans for its rules to ensure that systems can comply with new requirements.

Crawford, of Jonesboro, introduced the legislation with Rep. John Duarte, R-Calif.

"We just need to harden these assets and make them less vulnerable (and) equip our operators so that they know how to deal with it," Crawford told the Arkansas Democrat-Gazette. "Water operators at the municipal, county and state level need to be prepared and properly trained and armed with the right things to prevent these things from happening."

Crawford's bill follows federal officials voicing concerns about the vulnerability of water systems throughout the United States. EPA Administrator Michael Regan and National Security Adviser Jake Sullivan sent a letter to every governor in March inviting state partnerships in addressing cybersecurity risks.

"We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to and recover from a cyber incident," they said.

The officials cited Iran-affiliated attacks and China's sponsorship of efforts to gather information with plans to disrupt utility operations. An Iranian-backed group attacked a Pennsylvania water facility last November, during which hackers gained control of a remote booster station monitoring and regulating pressure.

"Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices," Regan and Sullivan wrote.

During an April 18 appearance at Vanderbilt University in Nashville, Tenn., FBI Director Christopher Wray said China's government is supporting cybersecurity attacks targeting the United States' infrastructure networks to wreak havoc "at a time of its choosing."

"To give you a sense of the scale of China's cyber activity, if all of the FBI's cyber agents and cyber intelligence analysts focused exclusively on China -- and not on ransomware, Iran or Russia -- Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1," Wray said.

"(China) has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist."

From legislative and regulatory perspectives, Crawford said, the United States cannot allow cyber attacks to continue because of "failure of imagination."

"We need to start thinking about where are gaps, weaknesses and vulnerabilities and how are they exploitable," he said.

Two House committees have received the bill for first consideration before a possible full chamber vote. The Transportation and Infrastructure Committee and the Energy and Commerce Committee will each review the measure given the committees' respective jurisdictions on infrastructure and cybersecurity-related matters.

Crawford and Rep. Bruce Westerman, R-Ark., serve on the House Transportation and Infrastructure Committee, with Crawford already eyeing its chairmanship role for the next Congress.
